Crypto-Erase: More Relevant than Ever

We have had a number of inquiries from our customers and partners regarding cryptographic erase lately, so I decided to do a little research and make it the subject of my blog for this month.

I had a look at a White Paper on our web site from January 2011, “Reduce the Total Cost of Ownership of Laptops and Desktops; Effective end-of-life drive sanitization and disposal” and was pleased to see that it is still relevant. Despite the title it is mostly about crypto erase. It states that at the time, “Regulatory agencies and encryption professionals are currently studying crypto erase as a potential sanitization method of future updates to publications like NIST SP 800‐88.” That led me to this NIST document which was updated in Sept 2012. NIST SP 800-88, Guidelines for Media Sanitization, is a bit dry and technical, but what I got out of it is that NIST now sees crypto erase as a legitimate sanitization tool given the appropriate caveats including:

The underlying encryption is FIPS 140 validated

The encryption was turned on before any sensitive data was written to the media

If there are any backups of the encryption keys they are stored separately and securely away from the crypto erased device.

It is hard and time consuming to sanitize gigabytes or even terabytes of data from modern drives. The main idea behind crypto erase is that if the data was properly encrypted already, then all one really has to do is wipe the encryption key and call it a day. Or as NIST puts it, “Thus, with <crypto erase>, sanitization may be performed with high assurance much faster than with other sanitization techniques.”
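The caveats listed above can be seen in a small model of an encrypting drive. The Python sketch below is an added example, not code from the original post or from SecureDoc; the ToyDrive class, its sector size and its HMAC-SHA256 keystream are hypothetical stand-ins for a real drive and a FIPS 140 validated cipher, and the sample data is constructed.

```python
import hashlib, hmac, secrets

SECTOR = 32  # bytes per sector in this toy model (assumption)

def keystream(key: bytes, lba: int) -> bytes:
    # Stand-in cipher: one HMAC-SHA256 block per sector, keyed by the media key.
    # Illustrative only; a real drive uses a FIPS 140 validated AES mode.
    return hmac.new(key, lba.to_bytes(8, "big"), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyDrive:
    """Hypothetical model of an encrypting drive; not a SecureDoc API."""
    def __init__(self):
        self.media = {}   # lba -> bytes physically stored on the medium
        self.mek = None   # media encryption key; None means encryption is off

    def enable_encryption(self):
        self.mek = secrets.token_bytes(32)

    def write(self, lba: int, data: bytes):
        block = data.ljust(SECTOR, b"\0")[:SECTOR]
        self.media[lba] = xor(block, keystream(self.mek, lba)) if self.mek else block

    def read(self, lba: int, key: bytes = None) -> bytes:
        key = key or self.mek
        raw = self.media[lba]
        return xor(raw, keystream(key, lba)) if key else raw

    def crypto_erase(self):
        # Replace the key; the stored ciphertext is never touched or overwritten.
        self.mek = secrets.token_bytes(32)

def demo() -> dict:
    early, late = b"written before encryption", b"written after encryption"
    d = ToyDrive()
    d.write(0, early)            # caveat 2 violated: plaintext reaches the medium
    d.enable_encryption()
    d.write(1, late)
    backup = d.mek               # caveat 3: a copy of the key exists elsewhere
    d.crypto_erase()
    return {
        "encrypted_sector_unreadable": not d.read(1).startswith(late),
        "plaintext_sector_still_on_media": d.media[0].startswith(early),
        "backup_key_recovers_data": d.read(1, key=backup).startswith(late),
    }

if __name__ == "__main__":
    print(demo())
```

All three results are true: the erase is instant for data written under the key, but it does nothing for sectors written before encryption was enabled, and it is only as strong as the protection on any key backup.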

It is worth noting that SecureDoc has supported crypto erase for many years now for both software encryption and self-encrypting drives. This includes a feature where the SES (SecureDoc Encryption Server) administrator can send a crypto erase command to a remote SecureDoc protected client machine, and then record the action in the SES database for compliance reasons.


Garry, a CISSP, has more than 30 years of experience in data communications and information security. He has contributed to the development of WinMagic's full-disk encryption solutions for desktops, laptops, and other mobile devices. When he is not saving the world of data encryption, he takes off his cape to relax and enjoy life at the cottage. Garry writes from a position of technical expertise since we first started SecureSpeak, making him the longest running blogger at WinMagic. Garry McCracken
